BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
(void)hinst;
(void)reserved;
if (dwReason == DLL_PROCESS_ATTACH) {
#if defined(USE_SYELOG)
// open log
SyelogOpen("clcoffee", SYELOG_FACILITY_APPLICATION);
#endif
// get xorvalue && filename
const char* xorvalueStr = getenv("CLCOFFEE_VALUE");
const char* fileStr = getenv("CLCOFFEE_FILE");
if (xorvalueStr && fileStr) {
XORVALUE = hex2dec(xorvalueStr[0])*16 + hex2dec(xorvalueStr[1]);
SOURCEFILE = cstr2wstr(fileStr);
}
#if defined(USE_SYELOG)
// open log
Syelog(SYELOG_SEVERITY_INFORMATION, "XORVALUE: 0x%X, SOURCEFILE: %ls\n", XORVALUE, SOURCEFILE);
#endif
// detour it
Mhook_SetHook((PVOID*)&Real_CreateFileW, Mine_CreateFileW);
Mhook_SetHook((PVOID*)&Real_ReadFile, Mine_ReadFile);
Mhook_SetHook((PVOID*)&Real_CloseHandle, Mine_CloseHandle);
#if defined(USE_SYELOG)
if (error == NO_ERROR) {
Syelog(SYELOG_SEVERITY_INFORMATION, "Detoured ok: %d\n", error);
} else {
Syelog(SYELOG_SEVERITY_INFORMATION, "Error detouring: %d\n", error);
}
#endif
}
else if (dwReason == DLL_PROCESS_DETACH) {
Mhook_Unhook((PVOID*)&Real_CreateFileW);
Mhook_Unhook((PVOID*)&Real_ReadFile);
Mhook_Unhook((PVOID*)&Real_CloseHandle);
free(SOURCEFILE);
SOURCEFILE = 0;
#if defined(USE_SYELOG)
Syelog(SYELOG_SEVERITY_INFORMATION, "Removed detour: %d\n", error);
SyelogClose(FALSE);
#endif
}
return TRUE;
}
//=========================================================================
// This is where the work gets done.
//
int wmain(int argc, WCHAR* argv[])
{
HANDLE hProc = NULL;
// Set the hook
if (Mhook_SetHook((PVOID*)&TrueNtOpenProcess, HookNtOpenProcess)) {
// Now call OpenProcess and observe NtOpenProcess being redirected
// under the hood.
hProc = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %d\n", GetLastError());
}
// Remove the hook
Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
}
// Call OpenProces again - this time there won't be a redirection as
// the hook has bee removed.
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %d\n", GetLastError());
}
// Test another hook, this time in SelectObject
// (SelectObject is interesting in that on XP x64, the second instruction
// in the trampoline uses IP-relative addressing and we need to do some
// extra work under the hood to make things work properly. This really
// is more of a test case rather than a demo.)
if (Mhook_SetHook((PVOID*)&TrueSelectObject, HookSelectobject)) {
// error checking omitted for brevity. doesn't matter much
// in this context anyway.
HDC hdc = GetDC(NULL);
HDC hdcMem = CreateCompatibleDC(hdc);
HBITMAP hbm = CreateCompatibleBitmap(hdc, 32, 32);
HBITMAP hbmOld = (HBITMAP)SelectObject(hdcMem, hbm);
SelectObject(hdcMem, hbmOld);
DeleteObject(hbm);
DeleteDC(hdcMem);
ReleaseDC(NULL, hdc);
// Remove the hook
Mhook_Unhook((PVOID*)&TrueSelectObject);
}
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpReserved) // reserved
{
// Perform actions based on the reason for calling.
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
// Initialize once for each new process.
// Return FALSE to fail DLL load.
m_fptr = fopen("C:\\HelloQQ.txt", "a");
Mhook_SetHook((PVOID*)&TrueGetStatus, HookGetStatus);
break;
case DLL_PROCESS_DETACH:
// Perform any necessary cleanup.
if (m_fptr)
{
fclose(m_fptr);
m_fptr = NULL;
}
Mhook_Unhook((PVOID*)&TrueGetStatus);
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
}
//=========================================================================
// This is where the work gets done.
//
int _tmain(int argc, WCHAR* argv[])
{
HANDLE hProc = NULL;
TrueNtOpenProcess = (_NtOpenProcess)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtOpenProcess");
// Set the hook
if (Mhook_SetHook((PVOID *)&TrueNtOpenProcess, HookNtOpenProcess)) {
// Now call OpenProcess and observe NtOpenProcess being redirected
// under the hood.
hProc = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, GetCurrentProcessId());
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %lu\n", GetLastError());
}
}
else
{
printf("Mhook_SetHook false\n");
}
// Call OpenProces again - this time there won't be a redirection as
// the hook has bee removed.
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2624);
if (hProc) {
printf("Successfully opened self: %p\n", hProc);
CloseHandle(hProc);
} else {
printf("Could not open self: %lu\n", GetLastError());
}
getchar();
// Remove the hook
Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
return 0;
}
void jmp_end(void)
{
if (TrueSetUnhandledExceptionFilter)
{
Mhook_Unhook((PVOID*)&TrueSetUnhandledExceptionFilter);
}
return;
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
wchar_t *pos = NULL;
wchar_t pathToExe[MAX_PATH];
switch (ul_reason_for_call){
case DLL_PROCESS_ATTACH:
// get the path to this dll, log file will be saved as <PATH>\Application.exe.txt
// so each application will have it's own log file
GetModuleFileNameW((HINSTANCE)&__ImageBase, pathToLog, MAX_PATH);
// currently i don't really care about actuall path being longer than MAX_PATH
pos = wcsrchr(pathToLog,'\\');
*++pos = '\0';
pos = NULL;
if(GetModuleFileName(NULL,pathToExe,MAX_PATH)){
pos = wcsrchr(pathToExe,'\\');
*++pos;
}
if(pos != NULL){
wcscat_s(pathToLog,MAX_PATH,pos);
wcscat_s(pathToLog,MAX_PATH,L".txt");
}else{ // clumsy , i know
wcscat_s(pathToLog,MAX_PATH,L"winscard.txt");
}
// place all needed hooks
Mhook_SetHook((PVOID*)&OrigLoadLibraryA, HookedLoadLibraryA);
Mhook_SetHook((PVOID*)&OrigLoadLibraryW, HookedLoadLibraryW);
Mhook_SetHook((PVOID*)&OrigLoadLibraryExW, HookedLoadLibraryExW);
Mhook_SetHook((PVOID*)&OrigLoadLibraryExA, HookedLoadLibraryExA);
break;
case DLL_PROCESS_DETACH:
Mhook_Unhook((PVOID*)&OrigLoadLibraryA);
Mhook_Unhook((PVOID*)&OrigLoadLibraryW);
Mhook_Unhook((PVOID*)&OrigLoadLibraryExA);
Mhook_Unhook((PVOID*)&OrigLoadLibraryExW);
if(ALREADY_HOOKED){
//unhook winscard too
Mhook_Unhook((PVOID*)&OrigSCardTransmit);
ALREADY_HOOKED = false;
}
break;
}
return TRUE;
}
void safe_end(void)
{
if (TrueLoadLibraryExW)
{
Mhook_Unhook((PVOID*)&TrueLoadLibraryExW);
}
if (TrueCreateProcessInternalW)
{
Mhook_Unhook((PVOID*)&TrueCreateProcessInternalW);
}
if (TrueNtCreateUserProcess)
{
Mhook_Unhook((PVOID*)&TrueNtCreateUserProcess);
}
if (TrueNtWriteVirtualMemory)
{
Mhook_Unhook((PVOID*)&TrueNtWriteVirtualMemory);
}
return;
}
void UninstallHooks()
{
BOOL failed = false;
for(size_t i = 0; i < g_FunctionsCount; ++i)
{
if (g_Functions[i].OriginalFunction)
failed = failed || !Mhook_Unhook(g_Functions[i].OriginalFunction);
}
if (failed)
throw std::runtime_error("UninstallHooks was failed to remove one or more hooks");
}
bool Hook::unsetHook()
{
BOOL unHookResult;
int count = 0, max = 3;
do
{
if (count == max)
break;
else
unHookResult = Mhook_Unhook((PVOID*)&this->TrueCreateFile);
++count;
} while ((!unHookResult));
return unHookResult;
}
BOOL WINAPI DllMain(
__in HINSTANCE hInstance,
__in DWORD Reason,
__in LPVOID Reserved
)
{
switch (Reason)
{
case DLL_PROCESS_ATTACH:
//Mhook_SetHook((PVOID*)&OriginalNtQuerySystemInformation, HookedNtQuerySystemInformation);
Mhook_SetHook((PVOID*)&loclTimeFun, HookedLocalTime);
Mhook_SetHook((PVOID*)&fileTimeFun,HookedFileTime);
break;
case DLL_PROCESS_DETACH:
//Mhook_Unhook((PVOID*)&OriginalNtQuerySystemInformation);
Mhook_Unhook((PVOID*)&loclTimeFun);
Mhook_Unhook((PVOID*)&fileTimeFun);
break;
}
return TRUE;
}
/* uninstall hook and clean up */
void WINAPI undo_it(void)
{
if (ff_info.atom_str)
{
UnregisterHotKey(NULL, ff_info.atom_str);
GlobalDeleteAtom(ff_info.atom_str);
}
if (TrueSHGetFolderPathW)
{
Mhook_Unhook((PVOID*)&TrueSHGetFolderPathW);
}
if (TrueSHGetSpecialFolderPathW)
{
Mhook_Unhook((PVOID*)&TrueSHGetSpecialFolderPathW);
}
if (TrueSHGetSpecialFolderLocation)
{
Mhook_Unhook((PVOID*)&TrueSHGetSpecialFolderLocation);
}
jmp_end();
safe_end();
return;
}
void UnhookCrypt() {
if (gCryptHooked) {
Mhook_Unhook((PVOID*)&SavedCryptGenKey);
}
}
BOOL Mhook_UnhookEx(PVOID ppHookedFunction) {
PVOID * p = ppHookedFunction == NULL ? NULL : (PVOID*)&ppHookedFunction;
return Mhook_Unhook(p);
}
SmileyCreateHook::~SmileyCreateHook(void)
{
Mhook_Unhook((PVOID*)&TrueProgIDFromCLSID);
Mhook_Unhook((PVOID*)&TrueCoCreateInstance);
}
